How To Install Podman On Ubuntu 22.04

Podman is an open-source, Linux-native tool designed to make it easy to find, run, build, share, and deploy applications using Open Container Initiative (OCI) containers and container images. This guide walks you through the main concepts of Podman and why it is considered rootless.

What is Podman?

Podman is a daemonless, open-source, Linux-native tool designed to manage containers and container images. Podman provides a CLI familiar to anyone who has used the Docker container Engine. Most users can simply alias Docker to Podman without any problems.

How Does Podman Work?

Podman has a daemonless architecture. You invoke Podman from the command line to request the containers you want to run. Instead of relying on a daemon, Podman uses systemd, a system and service manager for Linux, to run and manage containers in the background.

Let’s understand some of the advantages of using Podman:

  1. Podman creates images that comply with the Open Container Initiative (OCI) standard. This ensures that images built with Podman can be pushed to and pulled from any OCI-compliant container registry, including Docker Hub.
  2. Podman can run containers as a regular user without requiring root privileges, enhancing security by reducing the risk of privilege escalation attacks.
  3. Podman lets the user manage pods (a group of one or more containers that operate together). Users can perform operations such as create, list, and inspect on pods.

Some disadvantages of Podman are:

  1. Podman primarily targets Linux-based operating systems. Support for other platforms, such as Windows and macOS, is not as extensive as Docker's.
  2. While Podman has gained popularity, the ecosystem around it, including third-party tools, orchestration platforms and support may not be as extensive as Docker’s ecosystem.

Podman vs Docker

Docker and Podman are two types of containerization solutions that are used in software development. Docker has robust features and an extensive ecosystem, while Podman offers seamless integration with Kubernetes.

1. Architecture

  • Podman has a daemon-less architecture, whereas Docker depends on the daemon to call and manage containers. Daemon handles all the Docker images, containers, networks, and storage.
  • Docker uses a client-server model mediated by the daemon: the client sends requests over REST APIs and the daemon performs the container-related operations.
  • Podman, on the other hand, does not require a daemon. It uses Pods to manage containers, which helps users to run rootless containers. So, you do not need root permission to run containers in Podman.

2. Root Privileges

Docker requires root permissions to manage containers as it runs using the daemon.

However, Docker introduced rootless execution as an experimental feature in v19.03, and it moved out of experimental in Docker Engine v20.10. You would still need to take care of some configurations and third-party packages to run rootless containers on Docker.

3. Security

We do not provide root access to users or applications we don’t trust. But because Docker cannot run rootless as it needs the daemon to access containers, giving root access to everyone is fairly risky and a security hazard.

If someone somehow gains access to one container in Docker, they can misuse all the other containers, images, servers, and more with the same root access.

Podman does not have such security issues because an attacker will harm the containers they have access to but will not be able to gain root access and do further damage to the servers.

This is why Podman is described as rootless, and why it is considered safer to use.

4. Image Building

Docker not only manages containers but is also capable of creating images.

But Podman is only built to run and manage containers. It is not capable of building images on its own. However, you can use Buildah, an open-source tool, to build Open Container Initiative (OCI) container images.

Now let’s look at when you should use rootless containers and when you should not.

Rootless containers offer improved security by restricting access to resources that require root privileges, thereby safeguarding the host system from potentially malicious activity.

Rootless containers offer enhanced security, but they may not be suitable for certain scenarios. Here are some cases where rootless containers might not be the best choice:

  • Need for write access to the host’s file system: If the container requires write access to specific directories on the host, such as /var/lib/mongoDB, a rootless container may not be suitable. Rootless containers operate with reduced privileges, so they cannot write to locations on the host’s file system that require root access.
  • Binding containers to ports below 1024 without sysctl reconfiguration: On Unix-like systems, ports below 1024 are considered privileged and typically require root privileges to bind. Rootless containers do not have these privileges by default, so you may be unable to bind containers to ports lower than 1024 unless you reconfigure the sysctl settings, which may not be feasible.
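
The two limitations above can be checked before a rootless container is started. The script below is an added example, not part of the original article; the function names are hypothetical helpers, and port 80 with /var/lib/mongoDB are constructed sample inputs taken from the cases just described.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): pre-flight checks for rootless containers.

# Lowest port an unprivileged process may bind (kernel default: 1024).
unprivileged_port_start() {
    local f=/proc/sys/net/ipv4/ip_unprivileged_port_start
    if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# can_bind_rootless PORT [START]: 0 = bindable without root, 1 = privileged, 2 = invalid port.
can_bind_rootless() {
    local port="$1" start="${2:-$(unprivileged_port_start)}"
    case $port in ''|*[!0-9]*) return 2 ;; esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } || return 2
    [ "$port" -ge "$start" ]
}

# host_path_writable DIR: 0 only if DIR exists and the current user can write to it.
host_path_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# preflight PORT DIR [START]: prints one finding per line, returns the number of problems.
preflight() {
    local port="$1" dir="$2" start="${3:-$(unprivileged_port_start)}" problems=0 rc=0
    can_bind_rootless "$port" "$start" || rc=$?
    case "$rc" in
        0) echo "port $port: ok" ;;
        1) echo "port $port: below $start; publish a high host port (e.g. -p 8080:$port)" \
                "or set net.ipv4.ip_unprivileged_port_start=$port via sysctl"
           problems=$((problems + 1)) ;;
        *) echo "port $port: not a valid port number"
           problems=$((problems + 1)) ;;
    esac
    if host_path_writable "$dir"; then
        echo "volume $dir: ok"
    else
        echo "volume $dir: not writable by $(id -un); mount a directory this user owns"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: host port 80 and a MongoDB-style data directory.
preflight 80 /var/lib/mongoDB 1024 || true
```

Lowering net.ipv4.ip_unprivileged_port_start applies to the whole host and lets every local user bind those ports, so publishing a high host port is the narrower change.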

How to install Podman on Ubuntu

Follow the steps below to install Podman:

1. Open the terminal and update the system package repository by running:

sudo apt update

2. Install Podman with the following command:

sudo apt -y install podman

The -y flag automatically answers yes to any prompts during the installation.

3. Verify the installation by checking the podman version:

podman --version

4. To pull an image, run:

podman pull <image-name>

When a user executes a podman command related to images, Podman calls Buildah to perform the action.

5. To create a container from the image you have just pulled, run:

podman run -d <image id>

The -d flag runs the container in detached mode, which means the container runs in the background.

With this, you have installed Podman on Ubuntu and seen how Podman differs from Docker.
